Options for PCI-DSS on AWS - file integrity monitoring and intrusion detection

security pci-dss amazon-web-services

I need to deploy some file integrity monitoring and intrusion detections software on AWS instances.

I really wanted to use OSSEC, however it does not work well in an environment where servers can auto deploy and shut down based on load, because it requires server managed keys to be generated. Including the agent in the AMI will not allow monitoring as soon as it comes up because of that.

There are many options out there, and several are listed in other posts on this site, however none that I've seen so far deal with the unique problems inherent in AWS or cloud based deployments in general.

Can anyone point me at some products, preferably open source, that we might use to cover those portions of PCI DSS that require this software?

Has anyone else achieved this on AWS?


Solution 1:

I think you can still use OSSEC. A while back i found a blog that seems to indicate that you can at least automate it with puppet, which would mean you could probably create a lot of excess keys, then just assign them as needed possibly.

http://myrondavis.org/2010/12/how-to-completely-automate-ossec.html

Solution 2:

There is an option to move to PKI instead of symmetric encryption with the ossec-authd. http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/

This would make additions of auto spawned agents (scale out) to the server very easy. But removal of agents upon scale-in is the hard part. https://groups.google.com/forum/#!msg/ossec-list/cpoopmzBf3Q/JZObqvgAFi4J

One idea suggested on the above link is to have a monkey to clean up dead instances from the server periodically by querying AWS. That would work because once an instance dies as a result of scale-in, it will begin to fail the OSSEC server's keep-alive signals. So the monkey could detect inactive agents then check AWS to see if the instance is terminated and remove it from the OSSEC server.

Related

Deploy an AWS Auto Scaling groups using Chef Server
Can I re-use IP address of a failed Domain Controller for a new Domain Controller
How to not move permissions on fileserver file move
maintenance/installation of ruby gems/ruby on rails on Linux in general and Gentoo
Can I buy an IP address range without buying from or becoming a member of my regional NIC?
Best way to backup MySQL database server running in Hyper-V
How to index MySQL from ElasticSearch
mysql grant option
Should I Use the Default SQL Server 2012 Accounts or Make Specific Ones?
The User Profile Service Failed the Logon. User Profile Cannot Be Loaded
DHCP: One NIC and multiple subnets
Removing an orphaned AD domain: "a referral was returned from the server"